The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7217

This e-mail was sent by the LXC bot; direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
This can cause unwanted traffic blocks in its default mode so don't try and load it.

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
From a6177995499dde2e27e52d610ed64547d2797164 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Fri, 17 Apr 2020 17:13:57 +0100
Subject: [PATCH] lxd/device/nic/bridged: Dont load br_netfilter

This can cause unwanted traffic blocks in its default mode so don't try and 
load it.

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 lxd/device/nic_bridged.go | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index 5807c82274..5ab6c41df0 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -537,22 +537,16 @@ func (d *nicBridged) setFilters() (err error) {
        }
 
        if shared.IsTrue(d.config["security.ipv6_filtering"]) {
-               // Ensure the correct br_netfilter kernel module is loaded 
before checking for bridge filtering
-               // support in iptables.
-               err := util.LoadModule("br_netfilter")
-               if err != nil {
-                       return errors.Wrapf(err, "Error loading %q module", 
"br_netfilter")
-               }
-
-               // Check br_netfilter is loaded and enabled for IPv6.
+               // Check br_netfilter kernel module is loaded and enabled for 
IPv6. We won't try to load it as its
+               // default mode can cause unwanted traffic blocking.
                sysctlPath := "net/bridge/bridge-nf-call-ip6tables"
                sysctlVal, err := util.SysctlGet(sysctlPath)
                if err != nil {
-                       return fmt.Errorf("Error reading net sysctl %s: %v", 
sysctlPath, err)
+                       return errors.Wrapf(err, "security.ipv6_filtering 
requires br_netfilter be loaded")
                }
 
                if sysctlVal != "1\n" {
-                       return fmt.Errorf("security.ipv6_filtering requires 
br_netfilter and sysctl net.bridge.bridge-nf-call-ip6tables=1")
+                       return fmt.Errorf("security.ipv6_filtering requires 
br_netfilter sysctl net.bridge.bridge-nf-call-ip6tables=1")
                }
        }
 
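Review bot: In the `err != nil` branch after `util.SysctlGet(sysctlPath)`, the new message reports every read failure as "requires br_netfilter be loaded" and drops `sysctlPath` from the text, so a read that fails for some other reason would point the operator at the wrong fix. Consider keeping the path in the wrapped message, for example `errors.Wrapf(err, "security.ipv6_filtering requires br_netfilter be loaded (reading sysctl %s)", sysctlPath)`. With the `util.LoadModule("br_netfilter")` call removed, a host that relied on the implicit load will now fail at this check whenever `security.ipv6_filtering` is set. The diffstat shows only nic_bridged.go changed, so a documentation note telling operators to load the module and set net.bridge.bridge-nf-call-ip6tables=1 themselves would be worth adding alongside. The reworded final message, "requires br_netfilter sysctl net.bridge.bridge-nf-call-ip6tables=1", also reads less clearly than the previous "br_netfilter and sysctl" wording.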